ARM template for elastic database pool fails - azure

I'm having issues trying to deploy an ARM with ElasticPool GeneralPurpose edition. ihave to tried this in mulitple environment but it keeps failing. I'm using the code below which referenced from the Github repository of starter templates
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The SQL Server administrator login"
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The SQL Server administrator login password."
}
},
"serverName": {
"type": "string",
"metadata": {
"description": "The SQL Server name."
}
},
"elasticPoolName": {
"type": "string",
"metadata": {
"description": "The Elastic Pool name."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Basic",
"Standard",
"Premium",
"GP_Gen5",
"BC_Gen5"
],
"metadata": {
"description": "The Elastic Pool edition."
}
},
"capacity": {
"type": "int",
"metadata": {
"description": "The Elastic Pool DTU or nomber of vcore."
}
},
"databaseCapacityMin": {
"type": "int",
"defaultValue": 0,
"metadata": {
"description": "The Elastic Pool database capacity min."
}
},
"databaseCapacityMax": {
"type": "int",
"metadata": {
"description": "The Elastic Pool database capacity max."
}
},
"databasesNames": {
"type": "array",
"defaultValue": [
"db1",
"db2"
],
"metadata": {
"description": "The SQL Databases names."
}
},
"databaseCollation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The SQL Database collation."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"editionToSkuMap": {
"Basic": {
"family": null,
"name": "BasicPool",
"tier": "Basic"
},
"Standard": {
"family": null,
"name": "StandardPool",
"tier": "Standard"
},
"Premium": {
"family": null,
"name": "PremiumPool",
"tier": "Premium"
},
"GP_Gen5": {
"family": "Gen5",
"name": "GP_Gen5",
"tier": "GeneralPurpose"
},
"BC_Gen5": {
"family": "Gen5",
"name": "BC_Gen5",
"tier": "BusinessCritical"
}
},
"skuName": "[variables('editionToSkuMap')[parameters('edition')].name]",
"skuTier": "[variables('editionToSkuMap')[parameters('edition')].tier]",
"skuFamily": "[variables('editionToSkuMap')[parameters('edition')].family]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"location": "[parameters('location')]",
"name": "[parameters('serverName')]",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
}
},
{
"type": "Microsoft.Sql/servers/elasticPools",
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "[concat(parameters('serverName'), '/', parameters('elasticPoolName'))]",
"sku": {
"name": "[variables('skuName')]",
"tier": "[variables('skuTier')]",
"family": "[variables('skuFamily')]",
"capacity": "[parameters('capacity')]"
},
"properties": {
"perDatabaseSettings": {
"minCapacity": "[parameters('databaseCapacityMin')]",
"maxCapacity": "[parameters('databaseCapacityMax')]"
}
}
},
{
"type": "Microsoft.Sql/servers/databases",
"name": "[concat(parameters('serverName'), '/', parameters('databasesNames')[copyIndex()])]",
"location": "[parameters('location')]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]",
"[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName'), parameters('elasticPoolName'))]"
],
"sku": {
"name": "ElasticPool",
"tier": "[variables('skuTier')]",
"capacity": 0
},
"properties": {
"collation": "[parameters('databaseCollation')]",
"elasticPoolId": "[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName'), parameters('elasticPoolName'))]"
},
"copy": {
"name": "addDatabasesInElasticPool",
"count": "[length(parameters('databasesNames'))]"
}
},
{
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "[concat(parameters('serverName'), '/', 'AllowAllWindowsAzureIps')]",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "Microsoft.Sql/servers/firewallrules"
}
]
}
The deployment fails with this error
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InvalidTierSkuCombination","message":"The tier 'GeneralPurpose' does not support the sku 'SQLDB_GP_Gen5'."}]}
Please what can be issue here?

I think the error message explains the cause of the deployment failure
The tier 'GeneralPurpose' does not support the sku 'SQLDB_GP_Gen5'
The mapping of tier to sku is controlled by the input parameter edition, and the editionToSkuMap variable map, which indicates to me that the variable map is not correct. You'll likely need to dig into what the valid sku values are for a tier with the az CLI
az sql elastic-pool list-editions -l -o table
and update the variable mapping, then try to deploy again. It's probably worth opening an issue on the Azure Quickstart templates repository too

Please download this template (template.json & parameters.json) from GitHub that will allow you to create an Azure SQL Database Elastic Pool - General Purpose with one database included.

Related

Azure resources created using custom provider not showing on azure portal

I created an Azure custom provider by following the documentation in the link below:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/custom-providers/
I am able to successfully create resources for the types defined in the custom provider using ARM templates. However, I do not see those resources on the azure portal under the specific resource group.
Is this behavior expected?
I have deployed the custom provider in azure portal using ARM template by following below steps
Open azure portal and search for custom deployment as below
Taken reference from Microsoft Doc
After opening custom deployment, i have used the below code and then click on save
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"funcName": {
"type": "string",
"defaultValue": "[uniqueString(resourceGroup().id)]",
"metadata": {
"description": "The unique name of the function application"
}
},
"storageName": {
"type": "string",
"defaultValue": "[concat('store', uniquestring(resourceGroup().id))]",
"metadata": {
"description": "The unique name of the storage account."
}
},
"location": {
"type": "string",
"defaultValue": "eastus",
"metadata": {
"description": "The location for the resources."
}
},
"zipFileBlobUri": {
"type": "string",
"defaultValue": "https://github.com/Azure/azure-docs-json-samples/blob/master/custom-providers/_artifacts/functionpackage.zip?raw=true",
"metadata": {
"description": "The URI to the uploaded function zip file"
}
}
},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "[parameters('funcName')]",
"location": "[parameters('location')]",
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageName'))]"
],
"properties": {
"name": "[parameters('funcName')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsDashboard",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2022-05-01').keys[0].value)]"
},
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2022-05-01').keys[0].value)]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2022-05-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower(parameters('funcName'))]"
},
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "6.5.0"
},
{
"name": "WEBSITE_RUN_FROM_PACKAGE",
"value": "[parameters('zipFileBlobUri')]"
}
]
},
"clientAffinityEnabled": false,
"reserved": false
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-05-01",
"name": "[parameters('storageName')]",
"location": "[parameters('location')]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS"
}
},
{
"type": "Microsoft.CustomProviders/resourceProviders",
"apiVersion": "2018-09-01-preview",
"name": "[parameters('funcName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Web/sites/',parameters('funcName'))]"
],
"properties": {
"actions": [
{
"name": "ping",
"routingType": "Proxy",
"endpoint": "[concat('https://', parameters('funcName'), '.azurewebsites.net/api/{requestPath}')]"
}
],
"resourceTypes": [
{
"name": "users",
"routingType": "Proxy,Cache",
"endpoint": "[concat('https://', parameters('funcName'), '.azurewebsites.net/api/{requestPath}')]"
}
]
}
},
{
"type": "Microsoft.CustomProviders/resourceProviders/users",
"apiVersion": "2018-09-01-preview",
"name": "[concat(parameters('funcName'), '/ana')]",
"location": "parameters('location')",
"dependsOn": [
"[concat('Microsoft.CustomProviders/resourceProviders/',parameters('funcName'))]"
],
"properties": {
"FullName": "Ana Bowman",
"Location": "Moon"
}
}
],
"outputs": {
"principalId": {
"type": "string",
"value": "[reference(concat('Microsoft.Web/sites/', parameters('funcName')), '2022-03-01', 'Full').identity.principalId]"
}
}
}
Fill the following details like Subscription id, resource group, location and click on review+create
After deploying into the azure portal, we will get below
After deploying it to azure poral Goto azure portal and click on your resource group and click on the check box you will find as below

Botframework Azure Template dependsOn MsTeamsChannel CLI Deployment template validation failed

I'm trying to execute this instruction of Azure CLI:
az deployment sub create --name "ThisIsATest" --location northeurope
--template-file /Users/muzcateg/Documents/TeaBotframeworkVIP/DeploymentTemplates/template-with-new-rg.json
--parameters appId="7450874d-a8cb-4613-b021-621a34b21bbb" appSecret="ThisIsATest123456789" botId="ThisIsATest" botSku=F0 newAppServicePlanName="ThisIsATestServicePlan" newWebAppName="ThisIsATestWebApp" groupName="ThisIsATestResources" groupLocation="northeurope" newAppServicePlanLocation="northeurope"
--output json
And I'm getting this error:
{
'additionalProperties': {},
'code': 'InvalidTemplate',
'message': "Deployment template validation failed: 'The resource '/subscriptions/63c45336-738e-4431-b8cd-21097fd6a9f4/resourceGroups/ThisIsATestResources/providers/Microsoft.BotService/botServices/ThisIsATest/channels/MsTeamsChannel' at line '1' and column '2080' doesn't depend on parent resource '/subscriptions/63c45336-738e-4431-b8cd-21097fd6a9f4/resourceGroups/ThisIsATestResources/providers/Microsoft.BotService/botServices/ThisIsATest'. Please add dependency explicitly using the 'dependsOn' syntax. Please see https://aka.ms/arm-template/#resources for usage details.'.",
'target': None,
'details': None,
'additionalInfo': [{
'additionalProperties': {},
'type': 'TemplateViolation',
'info': {
'lineNumber': 1,
'linePosition': 2080,
'path': 'properties.template.resources[2].resources[0]'
}
}]
}
I'm using the standard template (template-with-new-rg.json) from the Botframework GIT examples, I have tried a lot of changes to see if I can make it work but with no success.
A colleague of mine is executing the instruction correctly in her PC, She is using CLI 2.7.0, I was using 2.8.0 and I change it to 2.7.0 too, we are supposed to have the same permissions in Azure.
Just in case, this is the template code:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"groupLocation": {
"type": "string",
"metadata": {
"description": "Specifies the location of the Resource Group."
}
},
"groupName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Resource Group."
}
},
"appId": {
"type": "string",
"metadata": {
"description": "Active Directory App ID, set as MicrosoftAppId in the Web App's Application Settings."
}
},
"appSecret": {
"type": "string",
"metadata": {
"description": "Active Directory App Password, set as MicrosoftAppPassword in the Web App's Application Settings."
}
},
"botId": {
"type": "string",
"metadata": {
"description": "The globally unique and immutable bot ID. Also used to configure the displayName of the bot, which is mutable."
}
},
"botSku": {
"type": "string",
"metadata": {
"description": "The pricing tier of the Bot Service Registration. Acceptable values are F0 and S1."
}
},
"newAppServicePlanName": {
"type": "string",
"metadata": {
"description": "The name of the App Service Plan."
}
},
"newAppServicePlanSku": {
"type": "object",
"defaultValue": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"family": "S",
"capacity": 1
},
"metadata": {
"description": "The SKU of the App Service Plan. Defaults to Standard values."
}
},
"newAppServicePlanLocation": {
"type": "string",
"metadata": {
"description": "The location of the App Service Plan. Defaults to \"westus\"."
}
},
"newWebAppName": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The globally unique name of the Web App. Defaults to the value passed in for \"botId\"."
}
}
},
"variables": {
"appServicePlanName": "[parameters('newAppServicePlanName')]",
"resourcesLocation": "[parameters('newAppServicePlanLocation')]",
"webAppName": "[if(empty(parameters('newWebAppName')), parameters('botId'), parameters('newWebAppName'))]",
"siteHost": "[concat(variables('webAppName'), '.azurewebsites.net')]",
"botEndpoint": "[concat('https://', variables('siteHost'), '/api/messages')]"
},
"resources": [
{
"name": "[parameters('groupName')]",
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"location": "[parameters('groupLocation')]",
"properties": {
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "storageDeployment",
"resourceGroup": "[parameters('groupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('groupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"comments": "Create a new App Service Plan",
"type": "Microsoft.Web/serverfarms",
"name": "[variables('appServicePlanName')]",
"apiVersion": "2018-02-01",
"location": "[variables('resourcesLocation')]",
"sku": "[parameters('newAppServicePlanSku')]",
"properties": {
"name": "[variables('appServicePlanName')]"
}
},
{
"comments": "Create a Web App using the new App Service Plan",
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"location": "[variables('resourcesLocation')]",
"kind": "app",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
],
"name": "[variables('webAppName')]",
"properties": {
"name": "[variables('webAppName')]",
"serverFarmId": "[variables('appServicePlanName')]",
"siteConfig": {
"appSettings": [
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "10.14.1"
},
{
"name": "MicrosoftAppId",
"value": "[parameters('appId')]"
},
{
"name": "MicrosoftAppPassword",
"value": "[parameters('appSecret')]"
}
],
"cors": {
"allowedOrigins": [
"https://botservice.hosting.portal.azure.net",
"https://hosting.onecloud.azure-test.net/"
]
}
}
}
},
{
"apiVersion": "2017-12-01",
"type": "Microsoft.BotService/botServices",
"name": "[parameters('botId')]",
"location": "global",
"kind": "bot",
"sku": {
"name": "[parameters('botSku')]"
},
"properties": {
"name": "[parameters('botId')]",
"displayName": "[parameters('botId')]",
"endpoint": "[variables('botEndpoint')]",
"msaAppId": "[parameters('appId')]",
"developerAppInsightsApplicationId": null,
"developerAppInsightKey": null,
"publishingCredentials": null,
"storageResourceId": null
},
"resources": [
{
"name": "MsTeamsChannel",
"type": "channels",
"location": "global",
"apiVersion": "2018-07-12",
"kind": "bot",
"properties": {
"channelName": "MsTeamsChannel"
},
"dependsOn": [
"[resourceId('Microsoft.BotService/botServices', parameters('botId'))]"
]
}
],
"dependsOn": [
"[resourceId('Microsoft.Web/sites/', variables('webAppName'))]"
]
}
],
"outputs": {}
}
}
}
]
}
Thanks in advance for any help.
The template just works on the old version of de Azure CLI in our case 2.0.7, so after lots of test and reading we end up deploying this JSON file with Azure CLI 2.7.0 and 2.8.0
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appId": {
"type": "string",
"metadata": {
"description": "Active Directory App ID, set as MicrosoftAppId in the Web App's Application Settings."
}
},
"appSecret": {
"type": "string",
"metadata": {
"description": "Active Directory App Password, set as MicrosoftAppPassword in the Web App's Application Settings. Defaults to \"\"."
}
},
"botId": {
"type": "string",
"metadata": {
"description": "The globally unique and immutable bot ID. Also used to configure the displayName of the bot, which is mutable."
}
},
"botSku": {
"defaultValue": "F0",
"type": "string",
"metadata": {
"description": "The pricing tier of the Bot Service Registration. Acceptable values are F0 and S1."
}
},
"newAppServicePlanName": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The name of the new App Service Plan."
}
},
"newAppServicePlanSku": {
"type": "object",
"defaultValue": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"family": "S",
"capacity": 1
},
"metadata": {
"description": "The SKU of the App Service Plan. Defaults to Standard values."
}
},
"appServicePlanLocation": {
"type": "string",
"metadata": {
"description": "The location of the App Service Plan."
}
},
"existingAppServicePlan": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Name of the existing App Service Plan used to create the Web App for the bot."
}
},
"existingAppServicePlanResourceGroup": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Name of the resource group for the existing App Service Plan used to create the Web App for the bot."
}
},
"newWebAppName": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The globally unique name of the Web App. Defaults to the value passed in for \"botId\"."
}
}
},
"variables": {
"defaultAppServicePlanName": "[if(empty(parameters('existingAppServicePlan')), 'createNewAppServicePlan', parameters('existingAppServicePlan'))]",
"useExistingAppServicePlan": "[not(equals(variables('defaultAppServicePlanName'), 'createNewAppServicePlan'))]",
"servicePlanName": "[if(variables('useExistingAppServicePlan'), parameters('existingAppServicePlan'), parameters('newAppServicePlanName'))]",
"resourcesLocation": "[parameters('appServicePlanLocation')]",
"webAppName": "[if(empty(parameters('newWebAppName')), parameters('botId'), parameters('newWebAppName'))]",
"siteHost": "[concat(variables('webAppName'), '.azurewebsites.net')]",
"botEndpoint": "[concat('https://', variables('siteHost'), '/api/messages')]"
},
"resources": [
{
"comments": "Create a new App Service Plan if no existing App Service Plan name was passed in.",
"type": "Microsoft.Web/serverfarms",
"condition": "[not(variables('useExistingAppServicePlan'))]",
"name": "[variables('servicePlanName')]",
"apiVersion": "2018-02-01",
"location": "[variables('resourcesLocation')]",
"sku": "[parameters('newAppServicePlanSku')]",
"properties": {
"name": "[variables('servicePlanName')]"
}
},
{
"comments": "Create a Web App using an App Service Plan",
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"location": "[variables('resourcesLocation')]",
"kind": "app",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('servicePlanName'))]"
],
"name": "[variables('webAppName')]",
"properties": {
"name": "[variables('webAppName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('servicePlanName'))]",
"siteConfig": {
"appSettings": [
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "10.14.1"
},
{
"name": "MicrosoftAppId",
"value": "[parameters('appId')]"
},
{
"name": "MicrosoftAppPassword",
"value": "[parameters('appSecret')]"
}
],
"cors": {
"allowedOrigins": [
"https://botservice.hosting.portal.azure.net",
"https://hosting.onecloud.azure-test.net/"
]
},
"webSocketsEnabled": true
}
}
},
{
"apiVersion": "2017-12-01",
"type": "Microsoft.BotService/botServices",
"name": "[parameters('botId')]",
"location": "global",
"kind": "bot",
"sku": {
"name": "[parameters('botSku')]"
},
"properties": {
"name": "[parameters('botId')]",
"displayName": "[parameters('botId')]",
"endpoint": "[variables('botEndpoint')]",
"msaAppId": "[parameters('appId')]",
"developerAppInsightsApplicationId": null,
"developerAppInsightKey": null,
"publishingCredentials": null,
"storageResourceId": null
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites/', variables('webAppName'))]"
]
}
]
}
Thanks to all.

How to add the existing virtual network into Azure SQL database using Azure ARM Template?

Currently I am working on to deploy the Azure SQL Database into exisiting virtual network using Azure ARM templates.
azuredeploy.json
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sqlServerName": {
"type": "string",
"metadata": {
"description": "The SQL Servername."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The SQL Database."
}
},
"collation": {
"type": "string",
"metadata": {
"description": "The Collation of SQL Database and SQL Server."
}
},
"edition": {
"type": "string",
"metadata": {
"description": "The edition of SQL Database."
}
},
"maxSizeBytes": {
"type": "string",
"metadata": {
"description": "The maxsize of SQL Database."
}
},
"sqlAdministratorLogin": {
"type": "string",
"metadata": {
"description": "The administrator username of the SQL Server."
}
},
"sqlAdministratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The administrator password of the SQL Server."
}
},
"transparentDataEncryption": {
"type": "string",
"allowedValues": [
"Enabled",
"Disabled"
],
"defaultValue": "Enabled",
"metadata": {
"description": "Enable or disable Transparent Data Encryption (TDE) for the database."
}
},
"zoneRedundant": {
"type": "bool",
"defaultValue": false
},
"startIpAddress": {
"type": "string",
"metadata": {
"description": "The start IpAddress"
}
},
"endIpAddress": {
"type": "string",
"metadata": {
"description": "The end IpAddress."
}
},
"sampleName": {
"type": "string",
"metadata": {
"description": "The sampleName."
}
},
"existingVnetName": {
"type": "string",
"metadata": {
"description": "The name of the existing virtual netwok."
}
},
"vnetRuleName": {
"type": "string",
"metadata": {
"description": "The name of the virtual netwrok rule."
}
},
"existingVirtualNetworkResourceGroup": {
"type": "string",
"metadata": {
"description": "The name of the exisitng VNET resource group."
}
},
"subscriptionID": {
"type": "string",
"metadata": {
"description": "The ID of the exisitng azure subscription."
}
}
},
"variables": {
"sqlServerName": "[parameters('sqlServerName')]",
"databaseName": "[parameters('databaseName')]",
"databaseEdition": "[parameters('edition')]",
"databaseCollation": "[parameters('collation')]",
"databaseServiceObjectiveName": "Basic",
"vnetID": "[concat('/subscriptions/', parameters('subscriptionID'), '/resourceGroups/',parameters('existingVirtualNetworkResourceGroup'),'/','Microsoft.Network/virtualNetworks', parameters('existingVnetName'))]",
//"vnetID": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/virtualNetworks', parameters('existingVnetName'))]"
},
"resources": [
{
"name": "[variables('sqlServerName')]",
"type": "Microsoft.Sql/servers",
"apiVersion": "2014-04-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"properties": {
"administratorLogin": "[parameters('sqlAdministratorLogin')]",
"administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[variables('databaseName')]",
"type": "databases",
"apiVersion": "2015-01-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "Database"
},
"properties": {
"edition": "[variables('databaseEdition')]",
"collation": "[variables('databaseCollation')]",
"requestedServiceObjectiveName": "[variables('databaseServiceObjectiveName')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"sampleName": "[parameters('sampleName')]",
"zoneRedundant": "[parameters('zoneRedundant')]"
},
"dependsOn": [
"[variables('sqlServerName')]"
],
"resources": [
{
"comments": "Transparent Data Encryption",
"name": "current",
"type": "transparentDataEncryption",
"apiVersion": "2014-04-01-preview",
"properties": {
"status": "[parameters('transparentDataEncryption')]"
},
"dependsOn": [
"[variables('databaseName')]"
]
}
]
},
{
"name": "AllowAllMicrosoftAzureIps",
"type": "firewallrules",
"apiVersion": "2014-04-01",
"location": "[resourceGroup().location]",
"properties": {
"startIpAddress": "[parameters('startIpAddress')]",
"endIpAddress": "[parameters('endIpAddress')]"
},
"dependsOn": [
"[variables('sqlServerName')]"
]
},
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[variables('vnetID')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}
]
}
],
"outputs": {
"sqlServerFqdn": {
"type": "string",
"value": "[reference(concat('Microsoft.Sql/servers/', variables('sqlServerName'))).fullyQualifiedDomainName]"
},
"databaseName": {
"type": "string",
"value": "[variables('databaseName')]"
}
}
}
Before I added this Microsoft.Sql/servers/virtualNetworkRules section into azuredeploy.json file at that time I am able to create the new SQL database into azure.
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[variables('vnetID')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}
But whenever I added this Microsoft.Sql/servers/virtualNetworkRules section into azuredeploy.json file at that time I am not able to create database into existing virtual network and also it doesn’t give any response.
Can anyone please tell me where I did the mistake in the above azuredeploy.json file?
Finally I resolved the above issue by replacing this section of code with Microsoft.Sql/servers/virtualNetworkRules the below lines of code:
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('subnets_default_name'))]",
"ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}

Setting Transparent Data Encryption on Azure SQL DB using an ARM Template

Is it possible to turn Transparent Data Encryption on for a SQL Azure DB using an ARM json template? If so, how?
The Template Should look like this.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"defaultValue": "TDETest2",
"metadata": {
"description": "The name of the new SQL Server to create."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The admin user of the SQL Server"
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password of the admin user of the SQL Server"
}
},
"databaseName": {
"type": "string",
"defaultValue": "TDETest2",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Basic",
"allowedValues": [
"Basic",
"Standard",
"Premium"
],
"metadata": {
"description": "The type of database to create."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "Basic",
"allowedValues": [
"Basic",
"S0",
"S1",
"S2",
"P1",
"P2",
"P3"
],
"metadata": {
"description": "Describes the performance level for Edition"
}
}
},
"variables": {
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "Database"
},
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[parameters('serverName')]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
},
"resources":[
{
"name": "current",
"type": "transparentDataEncryption",
"dependsOn": [
"[parameters('databaseName')]"
],
"location": null,
"apiVersion": "2014-04-01",
"properties": {
"status": "Disabled"
}
}
]
},
{
"type": "firewallrules",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[parameters('serverName')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {
"sqlSvrFqdn": {
"type": "string",
"value": "[reference(concat('Microsoft.Sql/servers/', parameters('serverName'))).fullyQualifiedDomainName]"
}
}
}
transparentDataEncryption should be a resource that belongs to an SQL database. Hence I am putting it under the resources of the database template.
However, after testing this template, I get the following error message.
Code : InvalidTemplate
Message : Deployment template validation failed: 'The template resource 'Microsoft.Sql/servers/TDETest2/databases/TDETest2' cannot reference itself. Please see http://aka.ms/arm-template-expressions/#reference for usage details.'.
That means Transparent Data Encryption is not supported yet in ARM Template. I have posted a feature request. Please vote here
Thanks for #JeffBailey. I find out that I have made a mistake in my template, using serverName instead of databaseName in the dependsOn of the transparentDataEncryption. The template has been updated.
You need to add the resource:
"resources":[
{
"name": "current",
"type": "transparentDataEncryption",
"dependsOn": [
"[parameters('databaseName')]"
],
"location": null,
"apiVersion": "2014-04-01",
"properties": {
"status": "Enabled"
}
}
]
And the database version has to be version 12:
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
Now encryption is on by default, you don't need to set it as enabled.

How to turn on Auditing & Threat Detection for Azure SQL Database in ARM Template?

Azure SQL Database Threat Detection feature has been in General Preview since November 2015.
https://azure.microsoft.com/en-us/blog/threat-detection-public-preview/
However, I could not find out how can one turn on this feature and its dependency (Azure SQL Database Auditing) in the ARM template, neither in the Azure Quickstart Templates nor Azure Resource Manager Schema GitHubs links.
azure-quickstart-templates
azure-resource-manager-schemas
Appreciate if anyone who knows can answer on this.
Thanks very much.
Here are 2 sample templates:
First one, enable Auditing and Threat Detection for the whole SQL server.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"serverLocation": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"metadata": {
"description": "The type of database to create. The available options are: Web, Business, Basic, Standard, and Premium."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "S0",
"metadata": {
"description": "The name corresponding to the performance level for edition. The available options are: Shared, Basic, S0, S1, S2, S3, P1, P2, and P3."
}
},
"eventTypesToAudit": {
"type": "string",
"defaultValue":"All",
"metadata": {
"description": "The event type to audit."
}
}
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
}
},
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('serverLocation')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
},
{
"apiVersion": "2014-04-01-preview",
"type": "auditingPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]"
],
"properties": {
"auditingState": "Enabled",
"storageAccountName": "<your-storage-account-name>",
"storageAccountKey": "<your-storage-account-key>",
"storageAccountResourceGroupName": "<your-storage-account-resource-group-name>",
"storageAccountSubscriptionId": "<your-storage-account-subscriptionid>",
"eventTypesToAudit": "parameters('eventTypesToAudit')"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/auditingPolicies/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "abcd#efgh.com",
"emailAccountAdmins": "true"
}
}
]
}
]
}
Second one, enable Auditing and Threat Detection only for a specific database.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"serverLocation": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"metadata": {
"description": "The type of database to create. The available options are: Web, Business, Basic, Standard, and Premium."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "S0",
"metadata": {
"description": "The name corresponding to the performance level for edition. The available options are: Shared, Basic, S0, S1, S2, S3, P1, P2, and P3."
}
},
"eventTypesToAudit": {
"type": "string",
"defaultValue":"All",
"metadata": {
"description": "The event type to audit."
}
}
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
},
"resources":[
{
"apiVersion": "2014-04-01-preview",
"type": "auditingPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]"
],
"properties": {
"auditingState": "Enabled",
"storageAccountName": "<your-storage-account-name>",
"storageAccountKey": "<your-storage-account-key>",
"storageAccountResourceGroupName": "<your-storage-account-resource-group-name>",
"storageAccountSubscriptionId": "<your-storage-account-subscriptionid>",
"eventTypesToAudit": "parameters('eventTypesToAudit')"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'), '/auditingPolicies/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "abcd#efgh.com",
"emailAccountAdmins": "true"
}
}
]
},
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('serverLocation')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
}
]
}
]
}
Note: Please don't forget to replace the information for the storage account.
Actually, Yoav Rubin has already answered your question in comment of the blog. And, I have tested the answer, and have done some refinement.
There was a change in the last week which requires 2 more parameters to the securityAlertPolicies section:
"storageEndpoint": "https://<storage account name>.blob.core.windows.net/",
"storageAccountAccessKey": "<storage account key>"
This is so the service can write the alerts generated to your storage account as well.
The answer from Jack Zeng was close, but (at this point in time) you need auditingSettings to point to blob storage, since security alerting doesn't work with table storage. So add the following auditingSettings and securityAlertPolicies as child resources of the Microsoft.Sql/servers resource.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[parameters('sqlserverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"apiVersion": "2014-04-01-preview",
"properties": {},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "auditingSettings",
"name": "Default",
"dependsOn": [
"[parameters('sqlserverName')]",
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"eventTypesToAudit": "All"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "DefaultSecurityAlert",
"dependsOn": [
"[parameters('sqlserverName')]",
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"[concat('Microsoft.Sql/servers/', parameters('sqlserverName'), '/auditingSettings/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "[parameters('securityAlertPolicyEmails')]",
"emailAccountAdmins": "Enabled",
"retentionDays": "10",
"storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
]
}
]
}
Sources:
The blob storage auditing config is from here: https://blogs.msdn.microsoft.com/azuresqldbsupport/2017/01/11/arm-template-turning-on-blob-auditing/
The threat detection resource config is from here (note that the storage auditing config from this example didn't work for me): https://blogs.msdn.microsoft.com/azuresqldbsupport/2017/01/11/arm-template-to-deploy-server-with-auditing-and-threat-detection-turned-on/

Resources